Closed mhatelus closed 2 years ago
It looks like you have some special characters in the data. Try a command like this to see if characters are what you think they are:
$ hexdump -C
[2001:0db8:85a3::4]:1812 other6-secret 3 [2001:0db8:85a3::3] vrf-red
00000000 5b 32 30 30 31 3a 30 64 62 38 3a 38 35 61 33 3a |[2001:0db8:85a3:|
00000010 3a 34 5d 3a 31 38 31 32 20 20 20 20 6f 74 68 65 |:4]:1812    othe|
00000020 72 36 2d 73 65 63 72 65 74 20 20 20 20 20 20 33 |r6-secret      3|
00000030 20 20 20 20 20 20 20 20 20 20 20 20 5b 32 30 30 |            [200|
00000040 31 3a 30 64 62 38 3a 38 35 61 33 3a 3a 33 5d 20 |1:0db8:85a3::3] |
Confirmed that the characters are correct in the pam conf file.
hexdump -C
[2001:100:100:100::1]:1812 secret 5
00000000 5b 32 30 30 31 3a 31 30 30 3a 31 30 30 3a 31 30 |[2001:100:100:10|
00000010 30 3a 3a 31 5d 3a 31 38 31 32 20 73 65 63 72 65 |0::1]:1812 secre|
Which version are you using? Because the most recent one handles IPv6.
I'm running the most recent version of libpam-radius-auth via 1.4.0-3:
user:~$ sudo apt upgrade libpam-radius-auth
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpam-radius-auth is already the newest version (1.4.0-3).
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
@mhatelus So, using the latest code we have the below test against the Ubuntu 21.04
# grep -vE "^(#|$)" /etc/pam.d/sshd
auth sufficient pam_radius_auth.so debug conf=/etc/pam_radius_auth.conf
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
#
# grep -vE "^(#|$)" /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
#
/etc/pam_radius_auth.conf
# grep -vE "^(#|$)" /etc/pam_radius_auth.conf
[fd00::242:ac11:2] testing123 3
#
ie.: Did the same tests adding the port like: [fd00::242:ac11:2]:1812
Testing the ssh authentication using ssh -l ubuntu ::1
We'll see the below logs from pam_radius_auth
# tail -f /var/log/auth.log
Oct 26 14:51:49 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: Got user name ubuntu
Oct 26 14:51:49 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: Sending RADIUS request code 1
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: DEBUG: get_ipaddr(fd00::242:ac11:2) returned 0.
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: Got RADIUS response code 2
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: authentication succeeded
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7320]: Accepted keyboard-interactive/pam for ubuntu from fd00::242:ac11:2 port 42748 ssh2
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7320]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Therefore, probably you have something different in your setup, or that mentioned version is broken. Please, try the latest code.
e.g:
# git clone https://github.com/FreeRADIUS/pam_radius
# cd pam_radius
# make
# install -m 0644 pam_radius_auth.so /lib/security
And follow the previous steps and let us know if you are still facing issues.
@jpereira
Hi jpereira,
The steps you recommended fixed the issue for me. My question is, how do I verify if the version was broken? Before opening the ticket here, I validated the version of the library via dpkg command, see below. Is there another command I should be using to confirm the version of the pam_radius_auth.so file?
t927922@server:~/pam_radius$ dpkg -l | grep pam
ii libpam-cap:amd64 1:2.32-1 amd64 POSIX 1003.1e capabilities (PAM module)
ii libpam-modules:amd64 1.3.1-5ubuntu4.3 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.3.1-5ubuntu4.3 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-radius-auth 1.4.0-3 amd64 PAM RADIUS authentication module
ii libpam-runtime 1.3.1-5ubuntu4.3 all Runtime support for the PAM library
ii libpam-systemd:amd64 245.4-4ubuntu3.13 amd64 system and service manager - PAM module
ii libpam0g:amd64 1.3.1-5ubuntu4.3 amd64 Pluggable Authentication Modules library
ii libpam0g-dev:amd64 1.3.1-5ubuntu4.3 amd64 Development files for PAM
@jpereira
Also, thank you for solving this case. Along with the others who have commented in the thread so far, I appreciate your help in looking at this issue.
No worries. We are doing some improvements that are coming up soon. About your problem, you need to remove the package with dpkg -P libpam-radius-auth
and install the modules following the mentioned steps:
# git clone https://github.com/FreeRADIUS/pam_radius
# cd pam_radius
# make
# install -m 0644 pam_radius_auth.so /lib/security
i.e: We did several improvements against the master branch.
fyi, if anybody is running into this issue in the future, I also had to run the following commands on a new linux box:
git clone https://github.com/FreeRADIUS/pam_radius
cd pam_radius
sudo apt-get install build-essential
./configure
make
sudo install -m 0644 pam_radius_auth.so /lib/security
for sure @mhatelus , therefore we could consider this ticket as done and close it.
fyi, if anybody is running into this issue in the future, I also had to run the following commands on a new linux box:
git clone https://github.com/FreeRADIUS/pam_radius
cd pam_radius
sudo apt-get install build-essential
./configure
make
sudo install -m 0644 pam_radius_auth.so /lib/security
I just want to clarify for future people who will read this thread as I find it a bit confusing.
IPv6 support is included in pam_radius since version 2: https://github.com/FreeRADIUS/pam_radius/blob/release_2_0_0/Changelog
You apparently use a version of Debian or Ubuntu which has version 1.4 so it's no surprise that it's not working. That's why you have to compile recent version 2 from source.
If you use a recent Debian or Ubuntu version as 11 (Bullseye) or 21.04 (Hirsute Hippo) respectively libpam-radius-auth version 2 is included and it works. Ubuntu 22.04 LTS will also contain it for sure. No need to compile it from source in this case.
Recent in Debian or Ubuntu never means recent upstream version. This should be quite basic Linux sysadmin knowledge.
Hi,
I'm trying to configure IPv6 radius servers in the pam_radius_auth.conf file and am having issues. I was previously using IPv4 servers and it was working well. I followed the comment guidelines in the conf file to add in the new IPv6 servers, but when I go to test radius authentication using ssh, it fails.
When reviewing the log file "/var/log/auth.log", I see that the pam_radius_auth process fails to process the IPv6 address and does a check on "[2001", instead of the full IPv6 address I added:
Oct 15 20:36:27 SERVER sshd[3761091]: pam_radius_auth: Failed looking up IP address for RADIUS server [2001 (errcode=9)
Oct 15 20:36:27 SERVER sshd[3761091]: pam_radius_auth: Failed looking up IP address for RADIUS server [2001 (errcode=9)
Oct 15 20:36:27 SERVER sshd[3761091]: pam_radius_auth: All RADIUS servers failed to respond.
Configuration used in "pam_radius_auth.conf" (tried using no brackets and no specific port, but issue is the same):
[2001:100:100:100::1]:1812 secret 5
[2001:100:100:101::2]:1812 secret 5
I also updated the "libpam-radius-auth" library to latest version 1.4.0-3, but does not help with the issue:
user:~$ sudo apt upgrade libpam-radius-auth
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpam-radius-auth is already the newest version (1.4.0-3).
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Is IPv6 compatible for the radius server list? Wanted to check if this is a known issue or if there is something else that is wrong.
Thanks,
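The `[2001` in the log above is what a split at the first colon of `[2001:100:100:100::1]:1812` produces. The following is an added illustration, not code from the original post or from pam_radius: `split_naive`, `split_server` and `literal_family` are hypothetical helpers that contrast that split with a bracket-aware one for the server field of pam_radius_auth.conf.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Naive split: everything before the FIRST ':' is taken as the host. */
static void split_naive(const char *f, char *host, size_t hlen)
{
    snprintf(host, hlen, "%.*s", (int)strcspn(f, ":"), f);
}

/* Bracket-aware split of "[v6]:port", "[v6]", bare "v6", "host:port", "host".
 * Returns 0 on success, -1 on a malformed field (hypothetical helper). */
static int split_server(const char *f, char *host, size_t hlen,
                        char *port, size_t plen)
{
    const char *c;
    host[0] = port[0] = '\0';
    if (f[0] == '[') {
        const char *end = strchr(f, ']');
        if (!end || (end[1] != '\0' && end[1] != ':')) return -1;
        snprintf(host, hlen, "%.*s", (int)(end - f - 1), f + 1);
        if (end[1] == ':') snprintf(port, plen, "%s", end + 2);
        return 0;
    }
    c = strchr(f, ':');
    if (c && strchr(c + 1, ':')) c = NULL;  /* 2+ colons: bare IPv6, no port */
    snprintf(host, hlen, "%.*s", (int)(c ? (size_t)(c - f) : strlen(f)), f);
    if (c) snprintf(port, plen, "%s", c + 1);
    return 0;
}

/* AF_INET6 or AF_INET for a numeric literal; 0 if it would need a name lookup. */
static int literal_family(const char *host)
{
    unsigned char buf[16];                  /* large enough for an IPv6 address */
    if (inet_pton(AF_INET6, host, buf) == 1) return AF_INET6;
    if (inet_pton(AF_INET, host, buf) == 1) return AF_INET;
    return 0;
}

int main(void)
{
    const char *f = "[2001:100:100:100::1]:1812";  /* server field from the report */
    char h[64], p[16];
    split_naive(f, h, sizeof h);
    printf("naive:   host=%s literal=%d\n", h, literal_family(h) != 0);
    if (split_server(f, h, sizeof h, p, sizeof p) == 0)
        printf("bracket: host=%s port=%s v6=%d\n", h, p, literal_family(h) == AF_INET6);
    return 0;
}
```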